Bug#992692: general: Use https for {deb,security}.debian.org by default

To: 992692@bugs.debian.org
Subject: Bug#992692: general: Use https for {deb,security}.debian.org by default
From: Paul Wise <pabs@debian.org>
Date: Fri, 3 Sep 2021 02:42:29 +0000
Message-id: <[🔎] CAKTje6Erb30aFM0RJ15CP3xoPSCrGH-QMbF+=iKSRD=g+AFhHg@mail.gmail.com>
Reply-to: Paul Wise <pabs@debian.org>, 992692@bugs.debian.org
In-reply-to: <[🔎] 05e10c80e1efa01c0c4d110c2ce14391bc35c189.camel@43-1.org>
References: <[🔎] YS9EywR3MQKlBn47@alf.mars> <[🔎] 3be2fcffdc1187466bd56e19e61a405a51e6e936.camel@43-1.org> <[🔎] 87r1e82w28.fsf@hope.eyrie.org> <[🔎] 20210902102215.f99248e0ff859b8cc478128b@iijmio-mail.jp> <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] d6217ac5-2e80-469b-e8fd-082c7bd23f0f@debian.org> <[🔎] 05e10c80e1efa01c0c4d110c2ce14391bc35c189.camel@43-1.org> <162963701727.2536441.3655242380753523899.reportbug@tiny>

On Thu, Sep 2, 2021 at 9:06 PM Ansgar wrote:

> Accessing www.debian.org will also not work on such systems (and unlike
> deb.d.o that does not even offer non-https). It's not Debian's problem.

The Tor onion services offer alternatives to the https PKI:

https://onion.debian.org/

> Is replacing deb.d.o by a non-CDN feasible?

security.d.o mirrors were getting overwhelmed after Linux kernel
updates, which is why that switched to the Fastly CDN, so probably
not. Also, the entire point of the deb.d.o domain is that it be backed
by a CDN.

httpredir.d.o was an alternative CDN-like thing that was based on HTTP
redirects to the mirror network. It had lots of problems, but now that
we have a mirror checker and zzz-dists, perhaps it could work better.
The mirror:// method in apt has probably improved since then too.
Maybe http redirects to local mirrors could be feasible again, but it
would take a lot of work.

https://mirror-master.debian.org/status/mirror-hierarchy.html

> As far as I know there is also at least https://cdn-aws.deb.debian.org/
> if you don't like Fastly.

And there are other CDNs that could potentially be used.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: David Kalnischkies <david@kalnischkies.de>

References:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>

Prev by Date: Re: Finding rough consensus on level of vendoring for large upstreams
Next by Date: Re: Finding rough consensus on level of vendoring for large upstreams
Previous by thread: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by thread: Bug#992692: general: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread